In recent years, the techniques of hacking secured microprocessor integrated circuits (microprocessors, microcontrollers, microprocessor memories, coprocessor integrated circuits, etc.) have developed considerably. The most advanced hacking methods currently involve injecting errors at determined points of an integrated circuit during the execution of so-called sensitive operations, such as authentication operations or operations of executing a cryptography algorithm for example. Such attacks by error injection, also referred to as attacks by fault injection, enable, in combination with mathematical models, the structure of a hard-wired logic cryptography algorithm and/or the secret keys it uses to be deduced. The error injection can be done in various ways, by introducing glitches into the supply voltage of the integrated circuit, by introducing glitches into the clock signal of the integrated circuit, by exposing the integrated circuit to radiations, etc.
Coprocessors are frequently used in integrated circuits to perform specific calculations. A coprocessor is generally a peripheral microprocessor element (integrated onto the same silicon chip) used to perform determined calculations, particularly to offload the microprocessor and/or to speed up the execution time of the calculations. To this end, a coprocessor generally comprises a calculation unit (also called “data path”), a unit for controlling the calculation unit, and registers enabling input data to be loaded into the coprocessor, the coprocessor to be configured, the results of the calculations to be retrieved and the end of the calculations to be notified. The control unit is generally a state machine having a determined number of states (“finite state machine”) which drives the calculation unit according to a command received. The assembly is generally hard-wired, and thus differs from a microprocessor in that it is not intended to execute a program having codes-instructions but only to execute a determined number of commands each corresponding to a determined calculation.
Now, in secured integrated circuits such as those that are incorporated into smart cards, coprocessors are frequently used to perform “sensitive” calculations, particularly cryptographic calculations, and thus handle secret keys. They are therefore mainly the target of attacks by error injection. The detection of an error injection in a coprocessor is therefore a measure to guarantee a high level of security to secured integrated circuits.
A method for monitoring the execution of a program is already known, particularly through EP 1,161,725, which involves producing cumulative signatures that vary according to the codes-instructions that run in the instruction register of a microprocessor. Such a method enables a derailment of the program being executed, particularly due to an error injection, to be detected, but does not apply to a hard-wired logic coprocessor that does not execute codes-instructions but which performs calculation sequences predefined by commands. Furthermore, the detection of a derailment in the execution of a program by a microprocessor does not enable an attack on the related coprocessor to be detected, since the latter processes each command sent by the microprocessor without interacting with the same while the processing of the command is not completed.
One classical method of detecting an attack on a coprocessor involves repeating a calculation sequence performed by the coprocessor several times, then comparing the results obtained. If these results are identical, it emerges that no attack has occurred. In this way, to make a successful attack, the error injection must be repeated several times, and in an identical manner in terms of its effects and temporal aspects. However, this method multiplies the calculation times by the number of iterations, which is a major disadvantage. Further, if an error is highlighted in connection with the state of a state machine, the injection of a fault can result in skipping a state, and thus in masking the error.
Another classical method involves providing a logic circuit dedicated to detecting error injections. Regarding the calculation unit of the coprocessor, which has no deterministic properties since the data transiting therein are not predictable, this dedicated logic circuit is formed by redundant data paths in the calculation block, which compares the identity of the signals in the redundant paths on the fly. The detection of a difference between two redundant signals triggers the activation of an error signal. Regarding the control unit of the coprocessor, which generally has a deterministic aspect, a signature circuit is used which calculates a signature, throughout the operation performed by the coprocessor, using certain control signals controlling the calculation unit. At the end of the calculation, the calculated signature is compared with an expected signature, and if a difference is detected, revealing an error injection, an alert signal is activated. Now, the comparison, whether performed by software or by a circuit, can be bypassed by an appropriate error injection. This method thus has a flaw.